Sophos
From SixXS Wiki
This article explains how to configure a Sophos firewall for SixXS.
Part 1 describes how to configure a heartbeat-tunnel between your Sophos firewall and an IPv6 tunnel provider.
In part 2 a subnet is configured on the Sophos to allow the machines behind the firewall to connect to the Internet natively with IPv6 via the tunnel.
The configuration was tested on a Sophos UTM 9-120 with ASG 9.210-20 but should apply similarly to other Sophos units.
Part 1: Setting up a tunnel
Once your tunnel request has been approved you should have the following information:
- POP v4 address (e.g. 1.2.3.4, provided by the tunnel broker; not needed for heartbeat)
- POP v6 address (e.g. 2001:db8:123::1/64, provided by the tunnel broker)
- Your v4 address (e.g. 5.6.7.8, provided by you; not needed for heartbeat)
- Your v6 address (e.g. 2001:db8:123::2/64, provided by the tunnel broker)

- Log in to the WebAdmin webpage of your Sophos firewall, usually on port 4444
- Go to Interfaces & Routing / IPv6 / Global, and enable IPv6
- Go to Interfaces & Routing / IPv6 / Tunnel Broker, enable it and fill in the following information:
  - Authentication = User
  - Broker = SixXS
  - Username = <your username to login on www.sixxs.net and whois info>, e.g. ABC1-SIXXS
  - Password = The password of the account
  After you select Apply, the firewall WILL reboot without any warning!
- Go to Interfaces & Routing / IPv6 / Tunnel Broker, and in the Advanced section fill in the Tunnel ID, e.g. T123456
The Server Address should be tic.sixxs.net
Part 2: Setting up a subnet
After requesting the subnet from SixXS you should have the following information:
- IPv6 Prefix address (e.g. 2001:db8:8abc::/64)
- Find the best DNS cache on [1] (e.g. nscache.eu.sixxs.net)
- Find the best NTP server on [2] (e.g. ntp.eu.sixxs.net)

- Log in to the WebAdmin webpage of your Sophos firewall, usually on port 4444
- Go to Interfaces & Routing / Interfaces, and add the IPv6 address to the internal ethernet interface (e.g. 2001:db8:8abc::1/64, do not omit the last 1)
- Go to Support / Tools / DNS Lookup, and enter the DNS cache name (e.g. nscache.eu.sixxs.net). Select Apply, and write down one of the IP addresses
- Go to Network Services / DNS / Forwarders, and add the IP address you just found to the list of forwarders. I also disabled the option "Use forwarders assigned by ISP", and added those DNS servers also as forwarders.
- Go to Network Services / DNS / Global, and allow the internal network access to DNS.
- Go to Management / System Settings / Time and Date / NTP Servers, and add a "DNS Group" to the NTP pool with the DNS name (e.g. ntp.eu.sixxs.net).
- Optional: Go to Network Services / NTP, enable it, and allow the internal network access to NTP. (You could add DHCP option 4, with the internal address card)
- Go to Interfaces & Routing / IPv6 / Prefix Advertisements, and add a prefix on the internal interface. Use the IPv6 firewall address (e.g. 2001:db8:8abc::1) as DNS server and optionally the caching DNS server of SixXS.
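The addresses entered in Part 1 and Part 2 can be sanity-checked before they are typed into WebAdmin. The following is an added example, not part of the original wiki page or of Sophos or SixXS tooling; the function name `check_plan` is hypothetical and the sample values are the documentation addresses used above.

```python
import ipaddress

def check_plan(pop_v6, your_v6, subnet_prefix, internal_if):
    """Return a list of problems in the Part 1 / Part 2 values (empty = consistent)."""
    try:
        pop = ipaddress.IPv6Interface(pop_v6)
        mine = ipaddress.IPv6Interface(your_v6)
        prefix = ipaddress.IPv6Network(subnet_prefix)  # strict: host bits must be zero
        lan = ipaddress.IPv6Interface(internal_if)
    except ValueError as exc:
        return [f"unparsable value: {exc}"]

    problems = []
    # Part 1: both tunnel endpoints must be distinct addresses in one prefix.
    if pop.network != mine.network:
        problems.append("tunnel endpoints are not in the same prefix")
    if pop.ip == mine.ip:
        problems.append("tunnel endpoints are identical")

    # Part 2: the internal interface must sit inside the routed subnet, with
    # the same prefix length (an address without /64 is parsed as a /128).
    if lan.network != prefix:
        problems.append("internal interface is not in the routed subnet")
    # "Do not omit the last 1": the all-zero host part is the subnet-router
    # anycast address (RFC 4291), not a usable interface address.
    elif lan.ip == prefix.network_address:
        problems.append("internal interface has no host part")
    # The routed subnet and the tunnel prefix are separate allocations.
    if prefix.overlaps(mine.network):
        problems.append("routed subnet overlaps the tunnel prefix")
    return problems

if __name__ == "__main__":
    # Constructed sample: the example values from this page.
    for problem in check_plan("2001:db8:123::1/64", "2001:db8:123::2/64",
                              "2001:db8:8abc::/64", "2001:db8:8abc::1/64"):
        print("PROBLEM:", problem)
```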